Executive Summary


Today's cybercrime ecosystem produces thousands of fraudulent releases a day, including modular and open-source malware and DIY (do-it-yourself) malware-generating kits sold as cybercrime-as-a-service propositions on underground markets. It should not be surprising, then, that one of the key driving forces behind this ecosystem remains bulletproof hosting infrastructure, which lets novice and experienced cybercriminals keep malicious releases such as malware, spam, and phishing campaigns online for as long as possible. Bulletproof hosting providers offer advanced hosting services tailored to cybercriminals, increasing the average online time of a fraudulent or malicious campaign (improving its QA, Quality Assurance, from the criminal's point of view) and making it harder for the good guys to take it offline. Taking such infrastructure down, in turn, causes financial loss, campaign shutdowns, and downtime for the bad guys to deal with.


Thanks to WhoisXML API's vast infrastructure and its billions of IP and domain records, including historical and current WHOIS records, it is becoming increasingly easy for novice and experienced cybercrime researchers, investigators, and threat intelligence analysts to map and respond to modern cyber attack and cybercrime trends, bulletproof hosting providers included. The idea is to map their infrastructure while looking for personally identifiable information and leads that support attribution of attacks and campaigns, and to build a case for taking a rogue bulletproof hosting provider's infrastructure offline. Doing so can cause widespread damage and financial loss for the bad guys and disrupt their malicious and fraudulent activities online.


In this article we'll discuss the use of Maltego in combination with WhoisXML API to map and expose a currently active bulletproof hosting provider using a variety of means and techniques, with the aim of building a working case for taking it offline. We'll also reveal currently active fraudulent and malicious websites hosted on the provider's infrastructure and present an OSINT research and enrichment case study on one of them: a high-profile online E-shop offering access to stolen credit cards.
01. Introduction to WHOIS XML API


WhoisXML API is one of the Web's and the security industry's primary destinations for threat intelligence and cybercrime research, offering OSINT-grade domain, IP, and current and historical WHOIS data, with billions of domain, IP, and WHOIS records in its database. Novice and experienced cybercrime researchers, threat intelligence analysts, and OSINT experts should consider adding WhoisXML API's products to their arsenal of OSINT tools and public data repositories, and using them as primary information sources for their ongoing OSINT, cybercrime, and threat intelligence investigations.


02. How to get a proper account 


Cybercrime researchers and threat intelligence analysts interested in one of the Web's and the industry's most comprehensive and in-depth data sets of real-time and historical domain, IP, and WHOIS information should sign up for an account at https://main.whoisxmlapi.com/signup before beginning their OSINT and cybercrime research, threat hunting, and threat intelligence gathering.


Product                  Tier 1    Tier 2    Tier 3     Tier 4     Tier 5     Tier 6      Units

WHOIS and Bulk WHOIS     100,000   500,000   1,000,000  2,000,000  5,000,000  10,000,000  Monthly queries
Domain Availability      100,000   500,000   1,000,000  2,000,000  5,000,000  10,000,000  Monthly queries
IP Geolocation            50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
IP Netblocks              50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
DNS Lookup               100,000   200,000     500,000  1,000,000  2,000,000   4,000,000  Monthly queries
Email Verification        50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
Domain Reputation         50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
Website Categorization    50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
Website Contacts          50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries


Sample WhoisXML API Pricing Plans Web Site 
03. How to install Maltego


For the purpose of this case study we'll use the popular OSINT gathering and enrichment tool Maltego, which you can download from https://www.maltego.com/downloads/. Maltego is the front end through which we'll query WhoisXML API's domain, IP, and historical and current WHOIS database, one of the Web's and the industry's most comprehensive and in-depth.
Sample Maltego Download Web Site
04. How to use the WHOIS XML API Maltego Integration 


Before using Maltego, users should follow the instructions above and obtain a WhoisXML API account, which they will then use for the actual OSINT research, analysis, and enrichment process.


[Screenshot: Maltego GUI showing the WhoisXML transforms available on a domain entity (hostingerza.net): To Domains and IP Addresses (Historical Reverse WHOIS Search) [WhoisXML], To Domains and IP Addresses (Reverse WHOIS Search) [WhoisXML], To Historical WHOIS Records [WhoisXML], To WHOIS Records [WhoisXML]]


Sample Maltego GUI Interface relying on WhoisXML API for OSINT research and analysis, including network and domain reconnaissance, footprinting, and enrichment


Users should then proceed with the OSINT research and enrichment process by importing the domains and IPs under investigation into Maltego, either through the import feature or by adding them manually, and running the WhoisXML transforms against them.
Sample WHOIS XML API Report for a Sample Stolen Credit Cards Selling E-Shop Found Within the
Hosting Infrastructure of the Bulletproof Hosting Provider 


Domains (95) 



Sample Related Domains Found Within the Bulletproof Infrastructure Provider’s Hosting Infrastructure 
Revealed and Exposed using WHOIS XML API's Database 


[Screenshot: Maltego IPv4 Address entity for 197.44.54.172 (country EG, AS 8452, reverse DNS host-197.44.54.172-static.tedata.net), linked to the provider's name servers ns1.hostingerza.net, ns2.hostingerza.net, ns3.hostingerza.net, and ns4.hostingerza.net]
Sample Bulletproof Hosting Provider's IP Profiled and Exposed using WHOIS XML API's Database


05. Profiling a Bulletproof Hosting Infrastructure - A Case Study 


For the purpose of this case study, we'll profile and expose a currently active bulletproof hosting infrastructure provider, using a sample E-shop for stolen credit card data as an example, and offer in-depth, practical OSINT research and enrichment advice along the way. The E-shop in question is hxxp://thefreshstuffs.at.


Thanks to the vast and comprehensive WhoisXML API database, we managed to profile and map the bulletproof hosting provider's infrastructure and to expose related malicious and fraudulent domains hosted on it, among them a currently active E-shop for stolen credit card information.
Sample Maltego GUI Graph relying on actionable threat intelligence on the bulletproof hosting
infrastructure produced by WHOIS XML API’s database 


06. Basic OSINT Enrichment Process 


The E-shop in question (hxxp://thefreshstuffs.at) currently offers stolen credit card information for sale online; visitors can freely register for an account and proceed to purchase. The E-shop is only the tip of the iceberg in terms of the OSINT data and threat intelligence research we intend to share in a series of upcoming blog posts and white papers, including case studies on how to properly use Maltego in combination with WhoisXML API to give your OSINT research and analysis the proper boost, relying on one of the Web's and the industry's most in-depth and comprehensive domain, IP, and real-time and historical WHOIS record databases.


[Screenshot: sign-in page of the E-shop]


Sample Web Site Screenshot of the Stolen Credit Card Selling E-Shop Hosted on the Bulletproof
Hosting Provider Infrastructure


[Screenshots: the E-shop's built-in card checker. Each batch (dated June and July 2018) shows cards found and checked, credits or BTC charged off, and per-card columns for CC info, auth code, auth result, amount, void, merchant location, card type and region, issuing bank, country, state, and city. Results are marked Approval, Decline, Card No. Error, or Serv Not Allowed, with a per-batch statistics summary (for example "Approval 10 (100%)"), options to copy all or only valid cards, recheck unchecked cards, download or hide the batch, and a "Get paid for leaving a report" link.]


Sample name servers used by the fraudulent and malicious E-shop for stolen credit card information:


ns1.hostingerza.net 37.34.176.37 10800
ns2.hostingerza.net 37.34.176.37 10800
ns3.hostingerza.net 197.44.54.172 10800
ns4.hostingerza.net 186.74.208.84 10800
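To make the pivoting logic behind those Maltego reverse-WHOIS and name-server transforms explicit, here is an added example (not from the original paper, WhoisXML API, or Maltego) that clusters domains by shared name servers, IP addresses, and registrant contacts, starting from the E-shop's domain, so a defender can see which domains share the provider's infrastructure and belong in the same blocklist or takedown case. The name servers and IPs are the ones listed above; the per-domain assignments, the registrant e-mails, and example.com as a negative control are constructed for illustration.

```python
"""Pivot from a seed domain to related domains through shared infrastructure
(name servers, IPs, registrant contacts), the way a Maltego graph grows."""
from collections import deque


def rec(ns, ip, registrant=()):
    """Build one minimal WHOIS/DNS record for the constructed sample."""
    return {"ns": set(ns), "ip": set(ip), "registrant": set(registrant)}


# Constructed sample. Name servers and IPs come from the case study above; which
# domain sits on which NS/IP, and the registrant e-mails (.invalid TLD), are invented.
SAMPLE_RECORDS = {
    "thefreshstuffs.at": rec(["ns1.hostingerza.net", "ns2.hostingerza.net"], ["197.44.54.172"]),
    "netflix-support.top": rec(["ns1.hostingerza.net"], ["197.44.54.172"], ["reg-a@example.invalid"]),
    "bancoposta.me": rec(["ns3.hostingerza.net", "ns4.hostingerza.net"], ["186.74.208.84"], ["reg-a@example.invalid"]),
    "neorighoumters.at": rec(["ns1.neorighoumters.at", "ns2.neorighoumters.at"], ["197.44.54.172"]),
    "example.com": rec(["a.iana-servers.net", "b.iana-servers.net"], ["93.184.216.34"], ["hostmaster@example.invalid"]),
}


def attributes(record):
    """Flatten a record into (kind, value) pivot keys."""
    return {(kind, value) for kind, values in record.items() for value in values}


def shared_with(records, domain):
    """One hop: {other_domain: sorted (kind, value) keys it shares with domain}."""
    mine = attributes(records[domain])
    hits = {}
    for other, record in records.items():
        if other == domain:
            continue
        common = mine & attributes(record)
        if common:
            hits[other] = sorted(common)
    return hits


def expand(records, seed, max_hops=2):
    """Breadth-first pivot: every domain reachable from seed within max_hops,
    mapped to the hop at which it was first reached (the seed itself is hop 0)."""
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        if reached[current] >= max_hops:
            continue  # do not pivot further from the outermost ring
        for other in shared_with(records, current):
            if other not in reached:
                reached[other] = reached[current] + 1
                queue.append(other)
    return reached
```

Each extra hop widens the cluster through weaker links (here bancoposta.me is only reached via a registrant e-mail shared with netflix-support.top), so the hop count doubles as a confidence score when deciding what to block or report.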


07. Conclusion 


We expect to see a continued rise in bulletproof hosting infrastructure providers and in the high-profile, cybercrime-ecosystem-relevant clients and underground market participants they serve. We intend to keep profiling and exposing them, largely relying on Maltego in combination with the WhoisXML API integration and its domain, IP, and real-time and historical WHOIS database, one of the Web's and the industry's most in-depth and comprehensive.


